Security researcher Jose Rodriguez uncovered a lock screen bypass bug affecting Android 14 and 13, potentially exposing sensitive data in users’ Google accounts. The vulnerability allows a threat actor with physical access to a device to access photos, contacts, browsing history, and more, posing a significant security risk. Rodriguez reported the issue to Google in May, but as of late November, there was no scheduled date for a security update, raising concerns about the ongoing exposure of user data.
Rodriguez initially sought help on multiple platforms, including Twitter, Reddit, and Telegram, with opening a Google Maps link from the lock screen. He subsequently discovered the lock screen bypass, and his May report means that Google has been aware of the issue for at least six months. Despite the potential severity of the vulnerability, Google has yet to address it, leaving users exposed to exploitation by threat actors with physical access to their devices.
The impact of the exploits varies based on the user’s installation and configuration of Google Maps, and severity escalates if DRIVING MODE is activated. For users without DRIVING MODE, an attacker can access recent and favorite locations and contacts, and can share real-time location information with contacts. With DRIVING MODE activated, the attacker can, through additional exploits, access the device’s photos and extensive information about and configuration of Google accounts, and can gain full access to the account from another device. Rodriguez encourages Android users to test the screen lock bypass on their phones and share feedback, including Android version and device model, to raise awareness of the risks associated with this issue.